How to Perform Computer Forensics on a Laptop

Laptop forensic analysis reveals data about a user's computer activity while on the go.

Computer forensics on laptops presents challenging issues of data preservation, efficiency and accuracy. Forensic investigators can glean a lot of user information from these portable devices because the target often uses them to conduct business quickly and on the fly, without leaving time to erase tracks or encrypt data. Most forensic analysis of laptop computers is done offline (on a system that is powered down) rather than on a live system, as users tend to turn off laptops after use. Most of the same principles of computer forensics apply to laptop investigation, with the added challenge of working with smaller and more portable internal parts.

Things You'll Need

  • Computer disassembly tools
  • IDE/SATA hard drive adaptor
  • Forensic analysis workstation
  • Computer forensic live CD

Instructions

  1. Properly categorize the target system and removable devices. Effective computer forensic analysis hinges on proper record keeping. Accurately describe the scene where the laptop was found and the condition the target laptop was in when it was removed from the scene. Any physical evidence, such as fingerprints and DNA, must be gathered from the machine before analysis to ensure forensic reliability. In addition to properly gathering, categorizing and examining evidence, establish a chain of custody for all tangible evidence. This provides a traceable sequence of forensic examiners who are responsible for the security and purity of target systems, such as laptops.

  2. Extract the target hard drive and removable devices from the powered-off system. Remove the drive carefully, ensuring no parts are damaged by static electricity or physical force. Take out only the necessary media (hard drive, CD-ROMs, USB/flash drives), preserving as much of the target system as possible in its original form. Place the removable media on a static-free workstation away from dust or other contaminants and connect the appropriate cables to the host system and target media for data copy.

  3. Create a bit-for-bit copy of the target data. Using a utility such as dd (data dumper) or netcat, carefully copy the data from the target media to a forensically clean (erased and zeroed) medium for analysis. Verify that the checksums of the target and the copied data match by running a utility such as md5sum or sha1sum. After verifying that the unique fingerprints of the data match exactly, place the original media back into the target system and secure it for storage.

  4. Run pattern-matching and other software-based forensic detection tools on the target copy. Since the copy matches the original target data bit-for-bit, any analysis conducted on the copy is just as effective as it would be on the original. Run pattern-matching programs such as grep, or file extraction tools like Scalpel, to find and analyze data of interest.
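
The copy-and-verify sequence from step 3, written as a shell function. This is an added example, not part of the original article. The function names, the `.hashlog` file and the `/dev/sdX` placeholder are this example's own, and it assumes the evidence drive is attached through a write blocker or another read-only path.

```shell
# Added example (not from the original article).
# Assumption: the evidence drive is attached read-only (e.g. via a write blocker).
# Usage: acquire_image /dev/sdX evidence.dd    (/dev/sdX is a placeholder)
HASH_TOOL="${HASH_TOOL:-sha1sum}"   # the article names md5sum and sha1sum

# Print only the hex digest of a file or block device.
hash_of() {
    local out
    out=$("$HASH_TOOL" < "$1") || return 1
    echo "${out%% *}"
}

# acquire_image SRC DEST
# Returns 0 when the source (hashed before and after) and the image all match,
# 1 on a digest mismatch, 2 when the copy could not be made.
acquire_image() {
    local src="$1" dest="$2" before after image
    [ -r "$src" ] || { echo "cannot read source: $src" >&2; return 2; }
    # Never overwrite: the image must land as a new file on wiped media.
    if [ -e "$dest" ]; then echo "refusing to overwrite $dest" >&2; return 2; fi
    before=$(hash_of "$src") || return 2
    # Plain block copy; dd stops with an error on an unreadable sector.
    dd if="$src" of="$dest" bs=65536 2>/dev/null || return 2
    chmod a-w "$dest"                      # guard the working copy
    image=$(hash_of "$dest") || return 2
    after=$(hash_of "$src") || return 2    # shows imaging left the source unchanged
    # Record the digests for the case file and chain-of-custody notes.
    {
        echo "utc=$(date -u +%Y-%m-%dT%H:%M:%SZ) tool=$HASH_TOOL"
        echo "source=$src before=$before after=$after"
        echo "image=$dest digest=$image"
    } > "$dest.hashlog"
    [ "$before" = "$image" ] && [ "$before" = "$after" ]
}
```

A non-zero return means the image must not be used for analysis; the `.hashlog` file keeps the digests needed to re-verify the working copy later.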

Tips & Warnings

  • Be sure to obtain a search warrant or permission from the system administrator or owner before conducting a forensic examination on a laptop.
